Don’t Click on Links in LinkedIn Emails (There’s a Pun There Somewhere That I’m Missing)

Phishing emails can take several different forms. Our 10 Tips for Detecting Phishing Emails infographic gives you a cheat sheet of what to look for in unfamiliar emails. It's derived from our Cyber Security Awareness Education offering.

Many of us take advantage of social media services like LinkedIn. So it’s not surprising that social engineers take advantage of social media users. Here is a quick cautionary tale that is a great reminder of our potential vulnerability, and also illustrates an easy and highly effective way to avoid being phished.

A Successful LinkedIn Spoofing Email

We were recently asked to conduct a security assessment for a small manufacturing firm. Their corporate AMEX card had been compromised and they were concerned their network had been “hacked.”

While their network security had “room for improvement,” we did not find any evidence of compromise. Suspecting they may have been victims of a phishing attack, we reviewed the email logs for the impacted employee and interviewed the employee to get a sense of his email practices and overall phishing awareness.

The employee was moderately aware of phishing and social engineering, but was an avid user of LinkedIn and “didn’t think it was really possible” for LinkedIn emails to be spoofed. It turned out he had received a well-constructed phishing email indicating there was a problem with his LinkedIn account. The phish included a hyperlink that directed him to a fake LinkedIn website, where, to “verify his credit card in order to keep his account in good standing,” he provided the credit card information he had used to create the account.

How to Avoid Clicking Bad Links From LinkedIn

The easiest way to deal with any email message from LinkedIn—or any other account—directing you to log in is to delete the message. Don’t click the link in the email! Then, log into your account directly to see whether the invite, message or account inquiry is legitimate.